CirrostratusIn our adc security policy events, one of the website always gets blocked for some of its contents on the page.
logs point to few violations including modified domain cookie which has a cookie name with two cookie values. if this is the block reason, how do we trace what definition of cookie is it checking against to block the page?
EmployeeDo you mean legitimate clients are getting blocked because of the modified domain cookie violation? In the Request Details section of the violation, you should be able to see the exact value of the domain cookie that was modified by the client. Check with your app developers to determine if that modification should be allowed or blocked.
Cirrostratusyes, legitimate clients get blocked for some of the contents on the page. i am trying to find out where this cookie is defined within f5 against which it does the check?
EmployeeThe F5 cookie that is set to secure your domain cookie starts with the prefix TS and is then followed by a hexadecimal string. Do you have a learning suggestion to add your domain cookie to the allowed cookies list?
EmployeeIf "Modified domain cookie(s)" violation is detected, then this means that this cookie (or wildcard, which matches this cookie) is defined as enforced on "Security ›› Application Security : Headers : Cookies List" page.
"Enforced" means that cookie can not be modified by user and in case of any modification "Modified domain cookie(s)" violation must be detected.
"Enforced" need to be used for cookies (like session ID), which are set by application via "Set-Cookie" header and can not be modified by user.
If in your case you expect, that cookie can be modified, then you need to change it's type to "Allow".
Thanks, Ivan